SPF record

What is an SPF record?

An SPF record (Sender Policy Framework record) is the core of an SPF implementation: it is where the SPF policy is defined. An SPF record is published in the DNS (Domain Name System) and contains a list of authorised email servers that can send email on behalf of your domain name. If an email sender isn't listed in the record and does send email on behalf of your domain, this email could be considered not legitimate and can be rejected by the mail receiver.

Having a properly set up SPF record will improve email deliverability and will help to protect your domain against malicious emails sent on behalf of your domain. In practice, though, these goals are achieved more effectively if you use an SPF record together with DMARC. DMARC and DMARC Analyzer use both SPF and DKIM. Together they provide synergy and the best result for email security and deliverability.

SPF record in practice

An SPF record consists of several parts. It should always start with a version number and should be followed by one or more mechanisms which define valid senders.

v=spf1
This part defines the record as SPF. An SPF record has to start with this section. There used to be a second version of SPF (SenderID) which was created by Microsoft, but this was deprecated.

Mechanisms
An SPF record can contain multiple mechanisms.

a
a:somedomain.com
a/prefix
a:somedomain.com/prefix
Define the DNS A record of the current (or specified) domain as a valid sending source.

mx
mx:somedomain.com
mx/prefix
mx:somedomain.com/prefix
Define the DNS MX record of the current (or specified) domain as a valid sending source.

include:domain.com
Include the SPF record for this domain as valid sending sources.

exists:domain
Check for the existence of an A record for the provided domain. You can use macros in this context to do a ‘dynamic’ lookup of such a record.

all
You can define a policy for ‘all other sources’ using the ‘all’ mechanism. You should place this at the end of your SPF record providing a ‘default’ for other sources. Use a qualifier to define the policy you want to apply.

redirect=domain.com
When required, you can redirect the SPF record to another domain. There can only be one such modifier in each SPF record. It cannot be combined with an ‘all’ mechanism, as the redirect will only be followed if none of the mechanisms match.

Maximum number of lookups
When using SPF you need to take note of a limitation in this technique. The number of DNS lookups which are allowed to take place is limited to 10.

A DNS lookup is done when you query for one of these mechanisms:

a

mx

ptr

include

exists

Please note that the ‘nested lookups’ will also count. If an ‘included’ domain does an A and MX lookup, these will both count as lookups for your domain as well.
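
The nested counting described above can be checked before publishing a record. The sketch below is an added example, not DMARC Analyzer's own code: it walks a constructed, in-memory table of SPF records instead of querying DNS, and the domains and the function names `count_lookups` and `within_limit` are assumptions. It also counts the redirect modifier, which RFC 7208 includes in the same limit of 10.

```python
import re

# Constructed sample data: domain -> published SPF record (not real DNS answers).
SAMPLE_TXT = {
    "example.test": "v=spf1 a mx include:_spf.mailer.test include:crm.test ip4:192.0.2.0/24 -all",
    "_spf.mailer.test": "v=spf1 include:a.mailer.test include:b.mailer.test include:c.mailer.test ~all",
    "a.mailer.test": "v=spf1 a mx ip4:198.51.100.0/24 ~all",
    "b.mailer.test": "v=spf1 exists:%{i}.allow.mailer.test ~all",
    "c.mailer.test": "v=spf1 mx ~all",
    "crm.test": "v=spf1 a:send.crm.test mx ptr ~all",
}

LOOKUP_MECHANISMS = {"a", "mx", "ptr", "include", "exists"}  # the list given above
MAX_LOOKUPS = 10
TERM = re.compile(r"([a-z0-9]+)(?:[:=]([^/\s]+))?", re.I)  # name, optional target


def count_lookups(domain, records, path=()):
    """Count DNS-querying terms reachable from the SPF record of `domain`."""
    if domain in path:  # include loop: stop instead of recursing forever
        return 0
    record = records.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return 0  # no SPF record published at this name
    path = path + (domain,)
    total = 0
    for term in record.split()[1:]:
        match = TERM.match(term.lstrip("+-~?"))  # drop the qualifier, if any
        if not match:
            continue
        name, target = match.group(1).lower(), match.group(2)
        if name in LOOKUP_MECHANISMS:
            total += 1  # the mechanism itself costs one lookup
            if name == "include" and target:
                total += count_lookups(target, records, path)  # nested lookups count too
        elif name == "redirect" and target:
            total += 1 + count_lookups(target, records, path)
    return total


def within_limit(domain, records):
    """True when the record stays at or below the 10-lookup limit."""
    return count_lookups(domain, records) <= MAX_LOOKUPS


if __name__ == "__main__":
    for name in ("example.test", "_spf.mailer.test", "crm.test"):
        print(name, count_lookups(name, SAMPLE_TXT), within_limit(name, SAMPLE_TXT))
```

In the sample data, example.test lists only four lookup mechanisms itself, but its two includes bring the total above the limit.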
